In recent years, the vein pattern has attracted attention as a biological characteristic. An authentication apparatus extracts a vein pattern from image data obtained by imaging a finger or the like, and determines that authentication is successful when the result of collation (correlation value) between the extracted vein pattern and a registered vein pattern is equal to or larger than a predetermined threshold.
Such an authentication apparatus may be provided with a function for preventing so-called spoofing, in which a third party is erroneously approved as a valid user by the authentication apparatus.
For example, the authentication apparatus executes a first collation of collating authentication data input at authentication request time with registration data and a second collation of collating the authentication data with previous authentication data previously input and authenticated. When a result of the first collation shows coincidence and a result of the second collation does not show coincidence, the apparatus accepts authentication, while when both the results of the first and second collations show coincidence, the apparatus rejects authentication. With this configuration, if a third party who has acquired authentication data that a valid user had input for authentication tries to use the authentication data, the apparatus can reject authentication (refer to, e.g., Patent Document 1).
When, e.g., a radish is picked up as image data in place of a finger, a pattern (hereinafter, referred to as a pseudo vein pattern) similar to a vein pattern can be obtained since vessels, phloems, bundles, and the like that run throughout the inside of the radish resemble the vessels in a human body. Thus, it is reported that “spoofing by a radish” is possible (refer to Non-Patent Document 1).

Patent Document 1: Jpn. Pat. Appln. Laid-Open Publication No. 2002-259345
Non-Patent Document 1: Tsutomu Matsumoto, “Biometrics in financial transactions,” Apr. 15, 2005, Financial Services Agency, 9th study group on fake cash card.

However, the above method detects spoofing based only on the relationship (coincidence or non-coincidence) between the current input and a previous input. Consequently, when pseudo vein patterns are input one after another using, e.g., a radish until one coincides with the registration data, or when random number data that coincides with the registration data in a pseudo manner is input, a situation may arise in which a third party is erroneously approved as a valid user, resulting in an increased possibility of spoofing.
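
The two-collation decision described above, and the gap it leaves, can be traced in a short sketch. This is an added example, not code from the cited documents; the class and function names, both thresholds, and the feature vectors are constructed assumptions, and a stricter threshold is assumed for the second collation so that a valid user's new capture is not mistaken for a copy.

```python
from math import sqrt

MATCH_THRESHOLD = 0.95     # assumed threshold for coincidence with registration data
REPLAY_THRESHOLD = 0.9999  # assumed threshold for coincidence with a previous input

def correlation(a, b):
    """Normalized correlation value between two equal-length feature vectors."""
    ma, mb = sum(a) / len(a), sum(b) / len(b)
    da, db = [x - ma for x in a], [y - mb for y in b]
    denom = sqrt(sum(x * x for x in da) * sum(y * y for y in db))
    return sum(x * y for x, y in zip(da, db)) / denom if denom else 0.0

class TwoCollationAuthenticator:
    def __init__(self, registered):
        self.registered = registered
        self.accepted_history = []  # previously input and authenticated data

    def authenticate(self, sample):
        # First collation: input vs. registration data.
        if correlation(sample, self.registered) < MATCH_THRESHOLD:
            return "reject: no match with registration data"
        # Second collation: input vs. every previously authenticated input.
        if any(correlation(sample, old) >= REPLAY_THRESHOLD
               for old in self.accepted_history):
            return "reject: coincides with previous authentication data"
        self.accepted_history.append(list(sample))
        return "accept"

# Constructed sample vectors (not real vein features).
REGISTERED = [1, 4, 2, 8, 5, 7, 3, 6]
GENUINE_1 = [1.2, 3.9, 2.1, 7.8, 5.1, 6.9, 3.2, 5.8]
GENUINE_2 = [0.9, 4.2, 1.8, 8.1, 4.8, 7.2, 2.9, 6.1]
PSEUDO = [1.5, 3.5, 2.5, 7.5, 5.5, 6.5, 3.5, 5.5]  # stands in for a pseudo vein pattern
UNRELATED = [8, 1, 7, 2, 6, 3, 5, 4]

def run_demo():
    auth = TwoCollationAuthenticator(REGISTERED)
    return [
        auth.authenticate(GENUINE_1),        # fresh valid input
        auth.authenticate(list(GENUINE_1)),  # captured copy presented again
        auth.authenticate(GENUINE_2),        # valid user, new capture
        auth.authenticate(UNRELATED),        # fails first collation
        auth.authenticate(PSEUDO),           # new to history, still similar to registration
    ]

if __name__ == "__main__":
    for outcome in run_demo():
        print(outcome)
```

The last call is accepted because neither collation examines whether the input originates from a living finger; both only compare the input against stored data.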